Yesterday, as part of the discussions related to Lemmy current inability to delete all user content I wrote a proposal: if enough people stepped up to help with funding, I’d take my work on my Fediverser project (which already has an admin web tool that “knows” how to interface with Lemmy) to solve all the GDPR-specific issues that we were raised by @[email protected]

The amount asked is, quite frankly, symbolic. I offered to work 10h/week on it if at least 20 people showed up to contribute via Github (which would be $4/month) or to signup to my instance (which access is given via a $29/year subscription). In other words, I’m saying “Give me $80/month and I will work 40 hours per month on this thing which so many of you are saying is critical to the project.”

So now that we have passed 24 hours, 58 upvotes and a handful of “that’s great!” responses, let me tell you how that translated into actual supporters:

  • Zero sponsors on Github
  • Zero signups on Communick.

Don’t take this as me demanding anything. I’m writing this just to illustrate the following:

  • The Tragedy of the commons is real. I can bet that at least 30% of the 60+ thousand users on Lemmy are proud owners of a pricey iPhone, and most of these are okay with paying for an app to use on their pricey iPhones, but almost none of them will even consider throwing a few bucks per year on the way of an open source developer.

  • The Outrage Mill is not a “capitalist” or even “corporate” phenomenon. People were piling on the devs yesterday for completely ignoring “such a crucial piece of functionality”, but no one actually stepped up to offer (or gather) the resources needed to have this problem solved. It’s almost as if people were getting more out of the discussion about the problem than working through a solution.

  • “Skin In The Game” is a powerful filter. No matter how much people will tell you that something is important to them, the true test is seeing how many are willing to pay the asking price. If not people are not willing to pay $2 per hour of work, then I can assume that this is not really important.

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    3
    ·
    10 months ago

    User generated content != PII.

    Aren’t the usernames an identifier and therefore PII? As far as I understand you can’t even use a cookie or the user’s IP to determine unique visitors on a site because it identifies the user personally.

    On the fediverse, every comment, every vote, every moderator action is completely public, and tied to the username. Unless the username is a throwaway and the user never ties it to their real identity in any way, that builds a ridiculously detailed profile of the user’s habits online. And still, you get enough of a profile I don’t doubt Google or Meta could manage to connect it to your profile easily unless you’re actively using a different persona.

    It’s all completely public and available to anyone that wants it.

    It’s even worse, images aren’t proxied right now so you can actually tie a username to an IP rather easily if you don’t use a VPN or block outside resources by default.

    Your IP

    Not exactly a new threat to be fair, but really the only thing not being broadcasted everywhere about the user is their email address.

    I guess the best one can do is clearly inform the user about the risks involved and honor incoming deletion requests properly, but man if a child get abused on the fediverse and you can barely yank the content, I can see a judge ruling that the fediverse as a whole is reckless.

    What’s stopping you (or anyone else) to just bypass authorized fetch and swallow the data stream from anyone?

    Exactly.

    • rglullis@communick.newsOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      10 months ago

      To my understanding, the key part is that you are supposed to disclose any type of information that you are sharing with third-parties through back channels.

      If you set a third-party tracking cookie on your site, then yes, the third-party can use the cookie to correlate users from different sites. But if you do what you just did and place a image that displays the IP, how can any third-party access this information? You have my IP and a request log, so what? Is there any way that another Lemmy instance can use this to identify me?

      On the fediverse, every comment, every vote, every moderator action is completely public, and tied to the username.

      And distribution/collection of public information is not what the GDPR is trying to regulate!

      • Kayn@dormi.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        Can you show where the GDPR excludes public information? Because if it doesn’t and can uniquely identify a person, then it’s still subject to this regulation.

        • rglullis@communick.newsOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          10 months ago

          Let’s say you go to a public forum and asks “please remove my PII”. To comply, they don’t need to remove your comments and posts, they just need to remove your username. Granted, the website owner might have the policy of deleting all the content, but you’ll have a hard time with the legal system to argue that they are not complying with the GDPR if they delete only the thing that really just identifies you uniquely.

          • Kayn@dormi.zone
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            But what if some of my comments include information that can uniquely identify me?

            That can be something like “message me on Matrix at …”

            • rglullis@communick.newsOP
              link
              fedilink
              English
              arrow-up
              2
              ·
              10 months ago

              It’s not “uniquely identifiable”. What if someone else writes your information as their own?

              Again, I feel like there is a lot of conjecturing when the best thing to do would be to get an actual lawyer to make a report indicating what about Lemmy today is in violation of the GDPR. For all the crying around it, I’d bet that the issues are not insurmountable, and I think that we should stick with common sense: those that care about actual privacy should not be using a social media platform anyway, and they should always be treating anything they put online as something that is never going to be deleted and available for any sufficiently motivated actor.